RE: [j-nsp] IPSec performance benchmarks for M40 and M160

From: David Newman (dnewman@networktest.com)
Date: Fri May 25 2001 - 17:09:03 EDT


Hi there,

I conducted the Light Reading tests and I've also been involved in several
comparisons of IPSec devices, most recently a 12-product bakeoff published
here:

http://www.commweb.com/article/COM20000912S0009

I don't know whether JNPR boxen support IPSec gateway functions; given their
role as core devices I'd be surprised if they did.

Out at the edges it is true that IPSec can seriously degrade performance.
How seriously? On 100Base-T test beds, I've seen throughput drop from 95
Mbit/s to as low as 2 Mbit/s when IPSec crypto and authentication are
enabled. Latency also jumps because of authentication, encryption, and
encapsulation.

Hardware acceleration has brought several vendors to the point where they
can handle 100-Mbit/s circuits comfortably. The next big challenge is IPSec
at gigabit rates. Folks like Cisco, Netscreen, and Nokia are looking to get
there.

There were a lot of bogus performance claims made with the 100-Mbit/s
products, and I suspect we'll see lots of smoke around gigabit claims as
well. When vendors give you IPSec performance numbers, some questions to ask
include:

--what packet sizes did you use? (much easier to get good numbers with long
packets)
--what crypto did you use? (DES is easy but insecure; 3DES is better)
--what message authentication algorithm did you use? (SHA-1 and MD5 are the
only good answers here)
--how many concurrent IPSec connections can you handle? (and by concurrent
be sure each has its own security association)

In the absence of hard numbers, I hope these guidelines are helpful in
evaluating IPSec performance claims.

Regards,
David Newman
Network Test

-----Original Message-----
From: Steve Holman [mailto:sholman@juniper.net]
Sent: Thursday, May 24, 2001 6:01 PM
To: 'Attneave, Philip'; 'juniper-nsp@puck.nether.net'
Subject: RE: [j-nsp] IPSec performance benchmarks for M40 and M160

Actually, this test dealt only with route filtering. It did not address any
encrypting at all. IPSec is not supported on Juniper routers. There is an
extensive amount of filtering supported, but encryption is not.

Best regards,
Steve
-----Original Message-----
From: Attneave, Philip [mailto:Philip.Attneave@METROKC.GOV]
Sent: Thursday, May 24, 2001 11:27 AM
To: 'juniper-nsp@puck.nether.net'
Subject: RE: [j-nsp] IPSec performance benchmarks for M40 and M160

If you have not already seen it, this article has some good information
about performance with filters turned on. I don't recall it specifically
talking about IPSec, but I suspect the authors may have more information.

http://www.lightreading.com/document.asp?doc_id=4009&print=true

Philip Attneave
Network Architect Phone (206) 263-4869
I-Net Project
King County Washington FAX (206)-205-5023
700 Fifth Avenue Suite 2300
Seattle WA 98104-5002
http://www.metrokc.gov/I-NET/overview.htm
 e-mail: philip.attneave@metrokc.gov
-----Original Message-----
From: RJ Hwang (EUD) [mailto:RJ.Hwang@am1.ericsson.se]
Sent: Thursday, May 24, 2001 10:05 AM
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] IPSec performance benchmarks for M40 and M160

Hi -- Quick question regarding 'turning on the IPSec encryption'. I have read
in some articles that this can reduce the throughput of routers (not
necessarily Juniper) by as much as 1-2 orders of magnitude (i.e., 10x-100x
reduction). Does anyone have test results of IPSec performance benchmarks for
M40 and M160 by using small packets and large packets?
Thanks
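
The packet-size and algorithm questions in David Newman's reply, worked through as an added example (not part of the original thread or any vendor's tooling): it computes ESP tunnel-mode packet growth and the best-case cleartext rate on a 100-Mbit/s link, and converts a claimed Mbit/s figure into packets per second. It assumes IPv4 tunnel mode without options, 3DES-CBC with a 96-bit HMAC, and free crypto; the function names and sample frame sizes are constructed for illustration.

```python
WIRE_GAP = 20      # preamble (8) + inter-frame gap (12) per Ethernet frame
ETH_L2 = 18        # Ethernet header (14) + FCS (4), included in the frame size
OUTER_IP = 20      # new IPv4 header added by tunnel mode (no options)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


def esp_tunnel_len(inner_ip_len, block=8, iv=8, icv=12):
    """Outer IP packet length for one inner IP packet.

    Defaults fit DES-CBC or 3DES-CBC (8-byte block and IV) with
    HMAC-SHA1-96 or HMAC-MD5-96 (12-byte ICV).
    """
    pad = -(inner_ip_len + ESP_TRAILER) % block   # pad up to a block boundary
    return OUTER_IP + ESP_HDR + iv + inner_ip_len + pad + ESP_TRAILER + icv


def line_rate_pps(frame_len, link_bps=100_000_000):
    """Frames per second that fit on the link at this frame size."""
    return link_bps / ((frame_len + WIRE_GAP) * 8)


def report(clear_frame, link_bps=100_000_000, mtu=1500):
    """Best case for one cleartext frame size, assuming crypto costs nothing."""
    outer_ip = esp_tunnel_len(clear_frame - ETH_L2)
    # The encrypted side carries the larger frames, so it sets the ceiling.
    pps = line_rate_pps(outer_ip + ETH_L2, link_bps)
    return {
        "clear_frame": clear_frame,
        "encrypted_frame": outer_ip + ETH_L2,
        # True: outer packet exceeds the MTU, so the rates below are optimistic.
        "fragments": outer_ip > mtu,
        "max_pps": round(pps),
        "clear_mbps": round(pps * clear_frame * 8 / 1e6, 1),
    }


def claim_to_pps(mbps, frame_len):
    """Packets per second implied by a claim of `mbps` at `frame_len` bytes."""
    return mbps * 1e6 / (frame_len * 8)


if __name__ == "__main__":
    for size in (64, 512, 1400, 1518):    # constructed sample frame sizes
        print(report(size))
    print(round(claim_to_pps(95, 1400)), "pps behind a 95 Mbit/s claim at 1400 bytes")
```

Even with free crypto, 64-byte frames top out near 48 Mbit/s of cleartext on a 100-Mbit/s link, while a figure of about 95 Mbit/s at 1400 bytes needs only about 8,500 packets per second.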


